From: Mark Knecht
To: gentoo-user@lists.gentoo.org
Date: Mon, 16 Aug 2010 08:29:48 -0700
Subject: Re: [gentoo-user] Increasing security [WAS: Rooted/compromised Gentoo, seeking advice [Solved?]
In-Reply-To: <4C69483D.1090705@gmail.com>
References: <20100813152553.GB21326@nibiru.local> <4C657BCA.9000703@gmail.com> <20100813190533.GB26738@nibiru.local> <4C66EF53.3050701@gmail.com> <4C69483D.1090705@gmail.com>
List-Id: Gentoo Linux mail

On Mon, Aug 16, 2010 at 7:16 AM, Bill Longman wrote:
> On 08/14/2010 12:32 PM, Jarry wrote:
>> On 13. 8. 2010 21:05, Enrico Weigelt wrote:
>>> * Bill Longman wrote:
>>>
>>>> Basically just run VMWare/Virtualbox etc and put the services in there.
>>>
>>> well, these solutions are way "bigger" (iow: more resource
>>> intensive), since they run a complete operating system instance
>>> within the virtual machine.
>>
>> That is why I picked up Linux-VServer (actually, first I tried
>> OpenVZ but could not make it run). It is a kind of compromise,
>> where all guests share the same kernel. This brings certain
>> security implications, but on the other side, I can run dozens
>> of guests on a moderate machine, with 4-cores and 8GB memory
>> (i.e. a guest running bind takes just about 20MB of memory)...
>
> This looks rather interesting, Jarry. Is it simply a matter of compiling
> the vserver-sources and util-vserver? Did it take much time to set up
> the kernel for your box? Or is it pretty much a typical kernel setup?
> Any good tools in the util-vserver package?
>
>> The only service running on my "host" (main system) is sshd,
>> which I secured as much as I could. Everything else (web, mail,
>> dns, ftp, syslog, X, and plenty of users' services) runs on its
>> own guest-system, chrooted in addition (where it was possible).
>
> Sounds very efficient.
>
> TIA,
>
> Bill

Certainly looks interesting. I guess the baselayout-vserver package is
somehow for setting up each of the guests?
QUESTION: Where does X run? In the host or separate copies in each guest?

For a long time I've wanted to set up a single piece of hardware for my
parents, but with two screens, two keyboards, two mice. Each user would
have what they expect in front of them physically but it's really a
single computer. Can that be done using this software?

Thanks,
Mark